0x1 几个关键函数:
一、flag长度:[10,30],flag[7]='A':
int __usercall ctf_get_input@<eax>(int a1@<xmm0>)
{
signed int length; // [esp+D0h] [ebp-8h]
int v3; // [esp+D4h] [ebp-4h]
int savedregs; // [esp+D8h] [ebp+0h]
sub_10D7B4(&unk_276007);
ctf_printf(&unk_2731E0, "Please Input:");
ctf_scanf("%s", buf, 30);
length = ctf_strlen(buf);
if ( length <= 30 && length >= 10 )
{
ctf_strcpy(key, 30, buf);
if ( key[7] != 65 )
{
ctf_print("输入错误;");
ctf_exit(0);
}
ctf_X_transform(key);
}
else
{
ctf_print("输入错误;");
ctf_exit(0);
}
return ctf_stack_check(&savedregs == &v3, 0, a1);
}
二、flag[7]='#',并逐字节与0x1f异或:
int __usercall ctf_X_transform<eax>(int a1@<xmm0>, char *key)
{
unsigned int i; // [esp+D0h] [ebp-8h]
sub_10D7B4(&unk_276007);
key[7] = 35;
for ( i = 0; i < ctf_strlen(key); ++i )
key[i] ^= 0x1Fu;
return ctf_stack_check(1, (int)key, a1);
}
三、通过key的xref找到check函数,调试发现变换后的flag与"urj}pux<}n{iqyrh"比较,相等则输出"ok":
int __userpurge ctf_check@<eax>(int a1@<xmm0>, char *data)
{
unsigned int i; // [esp+E8h] [ebp-14h]
sub_10D7B4(&unk_276007);
if ( data )
{
for ( i = 0; i < ctf_strlen(data); ++i )
data[i] ^= 0x1Cu;
if ( !ctf_strcmp(data, key) )
{
ctf_putchar(&unk_2731E0, 'o');
ctf_putchar(&unk_2731E0, 'k');
}
}
return ctf_stack_check(1, 0, a1);
}
0x2 python代码:
flag = []
s = 'urj}pux<}n{iqyrh'
for c in s:
flag.append(chr(ord(c)^0x1f))
flag[7] = 'A'
print ''.join(flag)
flag为:jmubojgAbqdvnfmw
0x3 PS:
check函数并没在main函数内被调用,拿到flag后跟着调了一下,跟进了10多个call,最后找到如下的位置(这部分应该是编译器附带的代码,(类似析构函数)):
.text:001E3AD2 loc_1E3AD2:
.text:001E3AD2 mov edx, [ebp+var_14]
.text:001E3AD5 mov eax, [edx]
.text:001E3AD7 push eax
.text:001E3AD8 call sub_10BE37
.text:001E3ADD add esp, 4
.text:001E3AE0 mov [ebp+var_40], eax
.text:001E3AE3 mov ecx, [ebp+var_14]
.text:001E3AE6 mov edx, [ebp+var_30]
.text:001E3AE9 mov [ecx], edx
.text:001E3AEB mov eax, [ebp+var_40]
.text:001E3AEE mov [ebp+var_34], eax
.text:001E3AF1 mov ecx, [ebp+var_34]
.text:001E3AF4 call ds:___guard_check_icall_fptr
.text:001E3AFA call [ebp+var_34] //此处调用check函数
.text:001E3AFD mov ecx, [ebp+var_1C]
.text:001E3B00 mov edx, [ecx]
.text:001E3B02 mov eax, [edx]
.text:001E3B04 mov ecx, [eax]
.text:001E3B06 push ecx
.text:001E3B07 call sub_10F3F2
.text:001E3B0C add esp, 4
.text:001E3B0F mov [ebp+var_38], eax
.text:001E3B12 mov edx, [ebp+var_1C]
.text:001E3B15 mov eax, [edx]
.text:001E3B17 mov ecx, [eax]
.text:001E3B19 mov edx, [ecx+4]
.text:001E3B1C push edx
.text:001E3B1D call sub_10F3F2
.text:001E3B22 add esp, 4
.text:001E3B25 mov [ebp+var_3C], eax
.text:001E3B28 mov eax, [ebp+var_38]
.text:001E3B2B cmp eax, [ebp+var_24]
.text:001E3B2E jnz short loc_1E3B38
[培训]《安卓高级研修班(网课)》月薪三万计划,掌
握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
最后于 2018-12-4 07:55
被mratlatsn编辑
,原因:
